
fix(GcpAuthenticator): Improve token regeneration

Open garethpelly opened this issue 1 year ago • 3 comments

Ref: https://github.com/vectordotdev/vector/issues/19614

Summary: This PR modifies the timing strategy used to regenerate the GCP authentication token.

I'm not a Rust expert but when looking into the above GH Issue, it would seem that the 401 responses being returned from Google are likely a result of a missed tick in the token_regenerator function.

Currently, the expires_in value (in seconds) is read from the token and divided by 2 in order to determine the Interval period to use as tick frequency. If the expires_in value is 1000, there would be two ticks: one at 500 seconds in the future and another at 1000. If the second tick is delayed for any reason, then Vector will send an out-of-date token to Google which will result in 401s. Rust's default MissedTickBehavior is Burst, and Vector will eventually trigger the tick resulting in it acquiring a new valid token. However, during this scenario events will be dropped.

Instead, this PR aims to ensure that the first tick lands at a midway point in the window (300 seconds remaining) when the Metadata server will expire its cache and provide a new valid token. In order to protect against any further drift with expiry and Interval ticks, the tick is reset using the expires_in value when a token is regenerated rather than relying on the start time + period calculated solely from the first token acquired.

The period (expires_in / 2) calculation is maintained since it's not clear to me why this strat was selected initially.

garethpelly avatar May 29 '24 08:05 garethpelly
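
The timing argument in the PR description above, as an added simulation that is not part of the PR or of Vector's code: it compares ticks anchored to the first token's `expires_in / 2` with a schedule recomputed from each response. The metadata-server model (`fetch`), the 3600-second lifetime, the 5-second tick delay and the `simulate` function are constructed assumptions; the 300-second cache cutoff is the figure quoted in the description, and the per-token schedule here is a plain `expires_in / 2` recompute rather than the PR's exact logic.

```rust
// Added illustration (std only); constants and function names are assumptions.
const TOKEN_LIFETIME: i64 = 3600; // assumed lifetime of a freshly minted token (s)
const CACHE_CUTOFF: i64 = 300; // server re-mints once <= 300 s remain (figure from the PR text)

/// Hypothetical metadata server: expiry time of the token handed out at `now`.
fn fetch(now: i64, cached_expiry: i64) -> i64 {
    if cached_expiry - now > CACHE_CUTOFF { cached_expiry } else { now + TOKEN_LIFETIME }
}

#[derive(Debug, PartialEq)]
struct Outcome {
    stale_secs: i64, // total time an already-expired token was still in use
    min_margin: i64, // least validity left on the held token at any refresh
}

/// reset_per_token = false: ticks at k * (first expires_in / 2), the old behaviour as described.
/// reset_per_token = true: next tick recomputed from each response's remaining lifetime.
/// `delay` models a late tick (scheduler lag), in seconds.
fn simulate(first_expires_in: i64, delay: i64, horizon: i64, reset_per_token: bool) -> Outcome {
    let fixed_period = (first_expires_in / 2).max(1);
    let mut expiry = first_expires_in; // token obtained at t = 0
    let mut scheduled = fixed_period; // nominal time of the next tick
    let mut out = Outcome { stale_secs: 0, min_margin: i64::MAX };
    while scheduled + delay <= horizon {
        let now = scheduled + delay;
        let margin = expiry - now; // negative means requests went out with an expired token
        out.min_margin = out.min_margin.min(margin);
        out.stale_secs += (-margin).max(0);
        expiry = fetch(now, expiry);
        scheduled = if reset_per_token {
            now + ((expiry - now) / 2).max(1) // guard against a zero-length period
        } else {
            scheduled + fixed_period // Burst-style: anchored to start + k * period
        };
    }
    out
}

fn main() {
    println!("fixed: {:?}", simulate(1000, 5, 20_000, false));
    println!("reset: {:?}", simulate(1000, 5, 20_000, true));
}
```

A negative `min_margin` is the window in which requests would carry an expired credential and be rejected with 401.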

CLA assistant check
All committers have signed the CLA.

bits-bot avatar May 29 '24 08:05 bits-bot

Thanks @lukesteensen! Had to take a slightly different angle on your suggestion in order to get it working correctly.

garethpelly avatar Jun 07 '24 10:06 garethpelly

@lukesteensen The gentle-ist of nudges regarding this PR to see if it's fit to be merged 😄

We've been running it (or a previous iteration of it) for almost 4 weeks in production and no 401 responses have been observed. TIA

garethpelly avatar Jun 28 '24 17:06 garethpelly

@lukesteensen thanks for the new feedback, I've incorporated the simplification suggestion 👍

garethpelly avatar Jul 01 '24 09:07 garethpelly

@lukesteensen likewise, thank you too! FYI, I've pushed a small code style fix which was tripping up the PR checks.

garethpelly avatar Jul 02 '24 10:07 garethpelly

Regression Detector Results

Run ID: 9c05915d-8de6-4082-a3ab-b2b07428dbeb Metrics dashboard

Baseline: 7025e2da2a41d5dca055af5ada1f0066ac93cf8f Comparison: 1c4800892cc70cc8cc59c8b28a69d757841d308f

Performance changes are noted in the perf column of each table:

  • ✅ = significantly better comparison variant performance
  • ❌ = significantly worse comparison variant performance
  • ➖ = no significant change in performance

Significant changes in experiment optimization goals

Confidence level: 90.00% Effect size tolerance: |Δ mean %| ≥ 5.00%

perf experiment goal Δ mean % Δ mean % CI links
socket_to_socket_blackhole ingress throughput -7.34 [-7.40, -7.28]
file_to_blackhole egress throughput -24.92 [-30.88, -18.96]

Fine details of change detection per experiment

perf experiment goal Δ mean % Δ mean % CI links
syslog_humio_logs ingress throughput +2.42 [+2.29, +2.55]
datadog_agent_remap_blackhole ingress throughput +1.32 [+1.22, +1.42]
datadog_agent_remap_datadog_logs_acks ingress throughput +1.04 [+0.79, +1.28]
syslog_log2metric_tag_cardinality_limit_blackhole ingress throughput +0.50 [+0.39, +0.62]
syslog_regex_logs2metric_ddmetrics ingress throughput +0.31 [+0.13, +0.49]
syslog_log2metric_splunk_hec_metrics ingress throughput +0.24 [+0.13, +0.35]
http_to_http_json ingress throughput +0.07 [+0.01, +0.12]
http_to_http_noack ingress throughput +0.05 [-0.00, +0.10]
splunk_hec_indexer_ack_blackhole ingress throughput +0.04 [-0.04, +0.12]
splunk_hec_to_splunk_hec_logs_noack ingress throughput +0.00 [-0.09, +0.10]
splunk_hec_to_splunk_hec_logs_acks ingress throughput -0.01 [-0.13, +0.12]
http_to_http_acks ingress throughput -0.04 [-1.36, +1.27]
splunk_hec_route_s3 ingress throughput -0.15 [-0.53, +0.23]
datadog_agent_remap_datadog_logs ingress throughput -0.50 [-0.73, -0.26]
http_to_s3 ingress throughput -0.52 [-0.79, -0.25]
syslog_splunk_hec_logs ingress throughput -0.68 [-0.79, -0.57]
otlp_grpc_to_blackhole ingress throughput -0.93 [-1.04, -0.82]
syslog_loki ingress throughput -1.13 [-1.20, -1.05]
http_elasticsearch ingress throughput -1.22 [-1.40, -1.04]
datadog_agent_remap_blackhole_acks ingress throughput -1.49 [-1.68, -1.31]
fluent_elasticsearch ingress throughput -1.53 [-2.02, -1.04]
http_text_to_http_json ingress throughput -2.54 [-2.66, -2.43]
syslog_log2metric_humio_metrics ingress throughput -2.74 [-2.89, -2.59]
otlp_http_to_blackhole ingress throughput -4.04 [-4.16, -3.92]
socket_to_socket_blackhole ingress throughput -7.34 [-7.40, -7.28]
file_to_blackhole egress throughput -24.92 [-30.88, -18.96]

Explanation

A regression test is an A/B test of target performance in a repeatable rig, where "performance" is measured as "comparison variant minus baseline variant" for an optimization goal (e.g., ingress throughput). Due to intrinsic variability in measuring that goal, we can only estimate its mean value for each experiment; we report uncertainty in that value as a 90.00% confidence interval denoted "Δ mean % CI".

For each experiment, we decide whether a change in performance is a "regression" -- a change worth investigating further -- if all of the following criteria are true:

  1. Its estimated |Δ mean %| ≥ 5.00%, indicating the change is big enough to merit a closer look.

  2. Its 90.00% confidence interval "Δ mean % CI" does not contain zero, indicating that if our statistical model is accurate, there is at least a 90.00% chance there is a difference in performance between baseline and comparison variants.

  3. Its configuration does not mark it "erratic".

github-actions[bot] avatar Jul 02 '24 23:07 github-actions[bot]

Regression Detector Results

Run ID: 5969a6cc-fd12-4066-b86c-a4613fac7e2a Metrics dashboard

Baseline: b2d3fe18d13bc4c5160e41810f87da09308967f6 Comparison: 1589eb334421d17d0afd00fee5a37666eda1f0ed

Performance changes are noted in the perf column of each table:

  • ✅ = significantly better comparison variant performance
  • ❌ = significantly worse comparison variant performance
  • ➖ = no significant change in performance

No significant changes in experiment optimization goals

Confidence level: 90.00% Effect size tolerance: |Δ mean %| ≥ 5.00%

There were no significant changes in experiment optimization goals at this confidence level and effect size tolerance.

Fine details of change detection per experiment

perf experiment goal Δ mean % Δ mean % CI links
otlp_http_to_blackhole ingress throughput +4.38 [+4.24, +4.52]
splunk_hec_route_s3 ingress throughput +4.03 [+3.64, +4.43]
syslog_log2metric_splunk_hec_metrics ingress throughput +2.22 [+1.93, +2.51]
http_text_to_http_json ingress throughput +0.77 [+0.61, +0.92]
otlp_grpc_to_blackhole ingress throughput +0.74 [+0.63, +0.86]
socket_to_socket_blackhole ingress throughput +0.62 [+0.56, +0.68]
syslog_regex_logs2metric_ddmetrics ingress throughput +0.30 [+0.11, +0.48]
http_elasticsearch ingress throughput +0.13 [-0.02, +0.28]
http_to_http_json ingress throughput +0.09 [+0.03, +0.14]
datadog_agent_remap_blackhole ingress throughput +0.06 [-0.05, +0.17]
http_to_s3 ingress throughput +0.03 [-0.24, +0.30]
splunk_hec_indexer_ack_blackhole ingress throughput +0.01 [-0.07, +0.09]
splunk_hec_to_splunk_hec_logs_noack ingress throughput +0.00 [-0.10, +0.10]
http_to_http_noack ingress throughput +0.00 [-0.02, +0.02]
splunk_hec_to_splunk_hec_logs_acks ingress throughput -0.00 [-0.12, +0.12]
syslog_loki ingress throughput -0.06 [-0.16, +0.04]
datadog_agent_remap_blackhole_acks ingress throughput -0.29 [-0.42, -0.15]
datadog_agent_remap_datadog_logs ingress throughput -0.30 [-0.51, -0.10]
syslog_log2metric_humio_metrics ingress throughput -0.35 [-0.52, -0.18]
fluent_elasticsearch ingress throughput -0.47 [-0.96, +0.02]
file_to_blackhole egress throughput -0.74 [-7.89, +6.41]
http_to_http_acks ingress throughput -0.78 [-2.08, +0.53]
syslog_splunk_hec_logs ingress throughput -1.53 [-1.61, -1.44]
syslog_log2metric_tag_cardinality_limit_blackhole ingress throughput -1.63 [-1.73, -1.53]
datadog_agent_remap_datadog_logs_acks ingress throughput -1.71 [-1.91, -1.51]
syslog_humio_logs ingress throughput -2.48 [-2.61, -2.35]

github-actions[bot] avatar Jul 02 '24 23:07 github-actions[bot]